ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.
|Maintainer:||Joachim Metz, David Loveall|
|Genre:||File type support|
The ewftools are a Linux based programs to read and write EnCase E01 and SMART s01 bitstream copies of storage media. It has been ported to other platforms like *BSD, MacOS-X and Windows as well.
The ewftools are part of libewf package which was created in 2006. Libewf is a rewrite of earlier work on the EnCase 4 file format by Michael Cohen part of PyFlag and the Expert Witness Compression Format Specification by [Andrew Rosen]. It has been updated to read and write EnCase 1 to 6 E01 files and SMART s01 files. Libewf has initiated an Extended EWF (EWF-X) specifications to bypass limitations on the format imposed by EnCase.
Currently libewf partially supports the EnCase L01 format but this functionality has been disabled.
The ewftools consists of:
- ewfacquire and ewfacquire , which writes storage media data from a device handle to a set of E01 or s01 files.
- ewfexport, which exports storage media data in a set of E01 or s01 files to raw (dd) format or a specific version of E01 or s01 files.
- ewfinfo, which shows the metadata in a set of E01 or s01 files.
- ewfverify, which verifies the storage media data in a set of E01 or s01 files.
- mount_ewf.py, which allows the storage media data in a set of E01 or s01 files to be mounted.